Nick Thomas authored
When a request's path resolved to a directory on disk and lacked a trailing slash character, we issued a 302 Found redirect to the request's path, plus the missing trailing slash. However, some request paths are valid absolute URIs (particularly protocol-neutral //example.com URIs), so this was an open redirect vulnerability. This problem is avoided by generating a URI from the actual location of a file that we want to present. There were also numerous potential bypasses of other security checks for inferred index.html files and custom error pages; this commit closes these holes at the same time by recursively running the checks if necessary.
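
The difference between the two approaches in the commit message above, as an added Go sketch that is not the project's own code: `naiveRedirect` echoes the request path, while `safeRedirect` builds the `Location` from the directory actually found under the site root. The function names, the choice of Go and the temporary sample directory are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// naiveRedirect reproduces the flaw: the Location echoes the request path.
func naiveRedirect(reqPath string) string { return reqPath + "/" }

// leavesSite reports whether a client would resolve loc to another host.
func leavesSite(loc string) bool {
	u, err := url.Parse(loc)
	return err != nil || u.Host != "" || u.Scheme != ""
}

// safeRedirect builds the Location from the directory found under root.
func safeRedirect(root, reqPath string) (string, bool) {
	full := filepath.Join(root, filepath.FromSlash(reqPath)) // collapses "//" and ".."
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", false // resolved outside the site root
	}
	if fi, err := os.Stat(full); err != nil || !fi.IsDir() {
		return "", false // only directories get the trailing-slash redirect
	}
	if rel == "." {
		return "/", true
	}
	u := url.URL{Path: "/" + filepath.ToSlash(rel) + "/"}
	return u.String(), true // always one leading slash, path-escaped
}

func main() {
	root, _ := os.MkdirTemp("", "site") // constructed sample site root
	defer os.RemoveAll(root)
	os.Mkdir(filepath.Join(root, "example.com"), 0o755)
	req := "//example.com" // protocol-neutral form named in the commit message
	fmt.Println(naiveRedirect(req), leavesSite(naiveRedirect(req)))
	loc, ok := safeRedirect(root, req)
	fmt.Println(loc, ok, leavesSite(loc))
}
```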